Overview

A fix for the CredSSP “Remote Code Execution” vulnerability (CVE-2018-0886), which can affect RDP connections, was released in the March 2018 security update. The exploits observed in the wild followed this chain:

1. Targets receive a malicious RTF Microsoft Office document.

2. After it is opened, the malicious document downloads the exploit’s second stage as an HTML page containing malicious code.

3. The malicious code triggers the use-after-free memory-corruption bug.

4. The accompanying shellcode then downloads and executes a malicious payload.

Symptoms

1. The VM screenshot shows the OS fully loaded and waiting for credentials.

2. If you try to RDP to the VM, either internally or externally, you get the following message:

Cause

The update changed the Encryption Oracle Remediation group policy default setting from Vulnerable to Mitigated.

If the server and the client have different expectations when setting up a secure RDP session, the connection can be blocked.

A later update may change the current default setting again and therefore change what a secure session requires.

Below is the matrix of RDP results for each combination of client and server state:

[Figure: Matrix for each possible situation for RDP result]

Examples:

1. If both the client and the server are patched and use the default setting (Mitigated), RDP works securely.

Resolution / Fix

Ensure that the latest patch is installed on both the client and the server so that RDP is set up securely.

Alternative Workarounds

Mitigation 1

If you cannot RDP from your patched client to the VM, you can temporarily change the client’s policy settings to regain RDP access to the server until the server is patched.

To do this, change the setting in the Local Group Policy Editor: run gpedit.msc and browse to Computer Configuration / Administrative Templates / System / Credentials Delegation in the left panel:

[Figure: Local Group Policy Editor, Credentials Delegation node]

Then set the Encryption Oracle Remediation policy to Enabled and its Protection Level to Vulnerable:
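The same temporary change can be audited and applied from an elevated PowerShell prompt, which is useful when you need to confirm a client’s current protection level or put it back to Mitigated once the server is patched. The script below is an added example, not part of the original article. It assumes the policy is backed by the registry value AllowEncryptionOracle under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters with 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable (the registry equivalent Microsoft documents for this policy; verify it against the policy editor on your build), and the function names are the author’s own.

```powershell
# Added example (not from the original article): audit and temporarily change the
# CredSSP "Encryption Oracle Remediation" policy without opening gpedit.msc.
# Assumption: the policy is stored in the registry value below; verify on your build.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName  = 'AllowEncryptionOracle'

# Value-to-name mapping matching the policy's "Protection Level" drop-down.
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspProtectionLevel {
    # Reports the effective level. No value present means the policy is "Not
    # Configured", and a patched host then uses the update's default, Mitigated.
    $item = Get-ItemProperty -Path $CredSspKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Mitigated (default, policy not configured)' }
    $v = [int]$item.$ValueName
    if ($Levels.ContainsKey($v)) { return $Levels[$v] }
    return "Unknown ($v)"
}

function Set-CredSspProtectionLevel {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Force Updated Clients', 'Mitigated', 'Vulnerable')]
        [string]$Level
    )
    # Look up the numeric value for the requested level name.
    $value = ($Levels.GetEnumerator() | Where-Object { $_.Value -eq $Level }).Key
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    New-ItemProperty -Path $CredSspKey -Name $ValueName -PropertyType DWord `
        -Value $value -Force | Out-Null
    Write-Host "Encryption Oracle Remediation set to '$Level' ($value)"
}

# Show the current state before touching anything.
Write-Host "Current level: $(Get-CredSspProtectionLevel)"

# Mitigation 1 from the article, applied on the client only while the server is unpatched:
# Set-CredSspProtectionLevel -Level Vulnerable
# Once the server has the patch, return the client to the safe default:
# Set-CredSspProtectionLevel -Level Mitigated
```

Run Get-CredSspProtectionLevel on both the client and the server to see which side is stricter; a client at Mitigated will refuse an unpatched server, which is the symptom described above. The Vulnerable setting removes the client’s protection against CVE-2018-0886 for every RDP session it makes, not just the one to the unpatched VM, so treat it as a short-lived change and switch back to Mitigated as soon as the server is patched.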